FINSO PAY PERSONAL DATA RETENTION AND DISPOSAL POLICY
FINSO PAY PERSONAL DATA RETENTION AND DISPOSAL POLICY
1. INTRODUCTION
1.1. PURPOSE
The purpose of this policy is regarding the processes of storage, deletion, destruction or anonymization of personal data processed by the Controller (Data Controller) wholly or partially automatically or by non-automatic means provided that it is part of any data filing system or by means intended to form part of a filing system. to determine the principles and procedures.
1.2. LEGAL BASIS
This Policy; It has been prepared in accordance with the “Regulation on the Deletion, Destruction or Anonymization of Personal Data” based on the third paragraph of Article 7 and the first paragraph of Article 22 of the Law No. 6698.
1.3. DATA CONTROLLER BASIS
Data Controller; It has prepared this personal data storage and destruction policy in accordance with the personal data processing inventory.
1.4. SCOPE OF THE POLICY
This Policy covers Finso Finansal Teknoloji Çözümleri Anonim Şirketi, as the Data Controller, to inform about the following:
1.4.1 The purpose of the policy and the provisions of the underlying legislation, the implementation procedures within the Data Controller
1.4.2 Legal and technical terms and definitions included in the Personal Data Retention and Disposal Policy
1.4.3 Purposes and legal reasons for the storage of personal data
1.4.4 All kinds of recording media where Personal Data is recorded
1.4.5 Explanations on legal, technical or other reasons that require the retention and disposal of personal data
1.4.6 The technical and administrative measures taken by the Data Controller for the safe storage of personal data and the prevention of unlawful processing and access
1.4.7 Technical and administrative measures taken for the legal destruction of personal data
1.4.8 The titles, units and job descriptions of those involved in the storage and destruction of personal data
1.4.9 Table showing storage and disposal times
1.4.10 Periodic destruction times and methods of destruction
1.4.11 If the current personal data retention and destruction policy has been updated, information regarding the said change
2. DEFINITIONS
2.1 Recipient Group: It is the natural or legal person category to which personal data is transferred by the data controller.
2.2 Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
2.3 Destruction: It is the process of deletion, destruction or anonymization of personal data.
2.4 Recording Environment: It refers to any environment in which personal data is processed wholly or partially automatically or by non-automatic means provided that it is a part of any data recording system.
2.5 Electronic Media: Environments where personal data can be created, read, changed and written with electronic devices.
2.6 Non-Electronic Media: All written, printed, visual etc. other than electronic media. other environments.
2.7 Service Provider: A natural or legal person who provides services within the framework of a specific contract with the Data Controller.
2.8 Personal Data Processing Inventory: Personal data processing activities carried out by data controllers depending on their business processes; It is the inventory that they create by associating personal data with the processing purposes, data category, transferred recipient group and data subject group, and detailing the maximum period required for the purposes for which personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security.
2.9 Personal Data Retention and Disposal Policy: This is the policy on which data controllers base the process of determining the maximum time required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization.
2.10 Periodic Disposal: It refers to the deletion, destruction or anonymization process that will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in the event that all the conditions for processing personal data in the law are eliminated.
2.11 Registry: It refers to the registry of data controllers kept by the Presidency of the Personal Data Protection Authority.
2.12 Data Registration System: It refers to the registration system in which personal data is processed and structured according to certain criteria.
2.13 Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. Deletion of Personal Data: Deletion of personal data is the process of making personal data inaccessible and unusable for the relevant users in any way.
2.14 Deletion of Personal Data: Deletion of personal data is the process of making personal data inaccessible and unusable for the relevant users in any way.
2.15 Destruction of Personal Data: Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.
2.16 Anonymization of Personal Data: It is the rendering of personal data that cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. In order for personal data to be anonymized; Personal data must be rendered incapable of being associated with an identified or identifiable natural person, even by using appropriate techniques for the recording medium and the relevant field of activity, such as returning and matching the data with other data by the data controller, recipient or recipient groups.
2.17 Relevant Person: Refers to the natural person whose personal data is processed.
2.18 Explicit Consent: It refers to the consent that is based on information and freely expressed regarding a certain subject.
2.19 Personal Data Protection Commission: It means the commission established within the Data Controller and involved in the PDP Law processes (“PDP Law Commission”).
3. 3 DISTRIBUTION OF DUTIES
The Data Controller, all its units and employees, as well as the responsible implementation of the technical and administrative measures taken within the scope of the Policy, training and awareness of the unit employees, prevention of unlawful processing of personal data by monitoring and continuous inspection, prevention of unlawful access to personal data, and In order to ensure that personal data is kept in accordance with the law, it actively supports the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed.
The distribution of the titles, units and job descriptions of those involved in the storage and destruction processes of personal data is given in Table 1.
Table 1: Units in Storage Processes and Distribution of Duties
Title | Unit | Duty |
Director of Human Resources | Human Resources | It is responsible for the processes related to the employees and employee candidates, the management of the data collected in these processes and the compliance of the destruction processes with the PDP Law and this policy. |
IT Unit Manager | Information Processing Unit | It is responsible for the management of all IT processes of the company and the compliance of destruction processes with PDP Law and this policy. |
Finance Director | Finance Units, Human Resources, Procurement | It is responsible for the Finance and Accounting processes, the management of the data collected in these processes and the compliance of the destruction processes with the PDP Law and this policy. |
Marketing Manager | Marketing Unit | It is responsible for marketing processes, management of personal data collected in these processes and compliance of destruction processes with PDP Law and this policy. |
Headquarters | General Manager, Deputy General Manager | It is responsible for monitoring that all units act in accordance with PDP Law and fulfill the necessary destruction processes within the scope of PDP Law. |
Technical Unit Manager | Technical Staff, Data Processing Unit | It is responsible for the monitoring of Information Security processes, the storage of Personal Data in electronic media, the control of the access rights of the Personnel, the announcement of the procedures to the Personnel, and the follow-up of the embezzlement processes. |
Legal Unit | Legal Counseling, Legal Department, Lawyers | It is responsible for the determination of personal data transfers in contract processes, ensuring the signing of appropriate transfer agreements and protocols, preparation and follow-up of personnel confidentiality procedures and undertakings, compliance with PDP Law and destruction of data collected regarding legal processes. |
Personal Data Protection Commission | It is responsible for the management and follow-up of the personal data processes processed by all units and the follow-up of compliance with this policy. |
4. RECORDING ENVIRONMENTS REGULATED BY PERSONAL DATA STORAGE AND DISPOSAL POLICY
4.1 Paper Media:
4.2 Electronic Media:
5. LEGAL REASONS FOR KEEPING
5.1 Law No. 6698 on the Protection of Personal Data
5.2 Turkish Code of Obligations No. 6098
5.3 Public Procurement Law No. 4734
5.4 Civil Servants Law No. 657
5.5 Social Insurance and General Health Insurance Law No. 5510
5.6 Arrangement of Publications on the Internet No. 5651 and These Publications
5.7 Law on Combating Crimes Committed by
5.8 Public Financial Management Law No. 5018
5.9 Occupational Health and Safety Law No. 6331
5.10 Law on Access to Information No. 4982
5.11 Law No. 3071 on the Use of the Right to Petition
5.12 Labor Law No. 4857
5.13 Higher Education Law No. 2547
5.14 Retirement Health Law No. 5434
5.15 Social Services Law No. 2828
5.16 Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Attachments
5.17 Regulation on Archive Services
5.18 Regulation on Personal Health Data
5.19 Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions
5.20 It is stored as long as the storage periods stipulated in the framework of other secondary regulations in force in accordance with these laws.
5. PROCESSING OBJECTIVES THAT REQUIRE STORAGE
6.1 Execution of Emergency Management Processes
6.2 Execution of Information Security Processes
6.3 Execution of Employee Candidate/Intern/Student Selection and Placement Processes
6.4 Execution of Application Processes of Employee Candidates
6.5 Execution of Employee Satisfaction and Loyalty Processes
6.6 Fulfillment of Employment and Legislation Obligations for Employees
6.7 Execution of Benefits and Benefits Processes for Employees
6.8 Conducting Audit/Ethics Activities
6.9 Conducting Educational Activities
6.10 Execution of Access Authorizations
6.11 Execution of Activities in Compliance with the Legislation
6.12 Execution of Finance and Accounting Affairs
6.13 Execution of Company/Product/Services Loyalty Processes
6.14 Providing Physical Space Security
6.15 Execution of Assignment Processes
6.16 Follow-up and Execution of Legal Affairs
6.17 Conducting Internal Audit/Investigation/Intelligence Activities
6.18 Execution of Communication Activities
6.19 Planning of Human Resources Processes
6.20 Execution/Audit of Business Activities
6.21 Execution of Occupational Health/Safety Activities
6.22 Receiving and Evaluating Suggestions for Improvement of Business Processes
6.23 Conducting Business Continuity Ensuring Activities
6.24 Execution of Logistics Activities
6.25 Execution of Goods/Service Procurement Processes
6.26 Execution of Goods/Services After Sales Support Services
6.27 Execution of Goods/Service Sales Processes
6.28 Execution of Goods/Services Production and Operation Processes
6.29 Execution of Customer Relationship Management Processes
6.30 Execution of Activities for Customer Satisfaction
6.31 Organization and Event Management
6.32 Conducting Marketing Analysis Studies
6.33 Execution of Performance Evaluation Processes
6.34 Execution of Advertising/Campaign/Promotion Processes
6.35 Execution of Risk Management Processes
6.36 Execution of Storage and Archive Activities
6.37 Conducting Social Responsibility and Civil Society Activities
6.38 Execution of Contract Processes
6.39 Execution of Sponsorship Activities
6.40 Execution of Strategic Planning Activities
6.41 Follow-up of Requests/Complaints
6.42 Ensuring the Security of Movable Property and Resources
6.43 Execution of Supply Chain Management Processes
6.44 Execution of Wage Policy
6.45 Execution of Marketing Processes of Products/Services
6.46 Ensuring the Security of Data Controller Operations
6.47 Foreign Personnel Work and Residence Permit Procedures
6.48 Execution of Investment Processes
6.49 Execution of Talent/Career Development Activities
6.50 Providing Information to Authorized Persons, Institutions and Organizations
6.51 Execution of Management Activities
6.52 Creating and Tracking Visitor Records
7. REASONS FOR DISPOSAL
7.1 Personal data; Amendment or repeal of the provisions of the relevant legislation, which are the basis for processing,
7.2 The disappearance of the purpose requiring its processing or storage,
7.3 In cases where the processing of personal data takes place only on the basis of express consent, the data subject withdraws his explicit consent,
7.4 In accordance with Article 11 of the Law, the application made by the Authority regarding the deletion and destruction of personal data within the framework of the rights of the person concerned,
7.5 In the event that the Institution rejects the application made by the person concerned with the request for the deletion, destruction or anonymization of his personal data, finds the answer insufficient or does not respond within the time stipulated in the Law;
7.6 Making a complaint to the Board and this request being approved by the Board,
7.7 In cases where the maximum period for keeping personal data has passed and there is no condition to justify keeping personal data for a longer period of time,
7.8 It is deleted, destroyed or ex officio deleted, destroyed or anonymized by the Data Controller upon the request of the person concerned.
8. TECHNICAL AND ADMINISTRATIVE MEASURES TO BE TAKEN TO SECURE STORAGE OF PERSONAL DATA AND TO PREVENT THEIR UNLAWFUL PROCESSING AND ACCESS
8.1 Network security and application security are provided.
8.2 A closed system network is used for data transfers via the network.
8.3 Key management is implemented.
8.4 Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
8.5 An authorization matrix has been created for employees.
8.6 Access logs are kept regularly.
8.7 Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
8.8 Data masking method is applied when necessary.
8.9 Personal data security issues are reported quickly.
8.10 Personal data security is monitored.
8.11 Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
8.12 The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
8.13 The security of environments containing personal data is ensured.
8.14 Personal data is backed up and the security of the backed up personal data is also ensured.
8.15 User account management and authorization control system are implemented and these are also followed.
8.16 In-house periodic and/or random audits are conducted and made.
8.17 Log records are kept without user intervention.
8.18 Existing risks and threats have been identified.
8.19 If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form and using a KEP or corporate mail account.
8.20 Secure encryption/cryptographic keys are used for sensitive personal data and are managed by different units.
8.21 Intrusion detection and prevention systems are used.
8.22 Penetration test is applied.
8.23 Cyber security measures have been taken and their implementation is constantly monitored.
8.24 Encryption is done.
8.25 Data processing service providers are periodically audited on data security.
8.26 Awareness of data processing service providers on data security is provided.
8.27 Data loss prevention software is used.
8.28 There are disciplinary regulations that include data security provisions for employees.
8.29 Training and awareness activities are carried out periodically for employees on data security.
8.30 Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
8.31 Confidentiality commitments are made.
8.32 The signed contracts contain data security provisions.
8.33 Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format.
8.34 Personal data security policies and procedures have been determined.
8.35 The security of environments containing personal data is ensured.
8.36 Personal data is reduced as much as possible.
8.37 In-house periodic and/or random audits are conducted and made.
8.38 There are protocols and procedures for special quality personal data security.
9. PERSONAL DATA DELETION TECHNIQUES
9.1 Personal Data on Servers: The system administrator removes the access authorization of the relevant users and deletes the personal data on the servers for those whose period has expired.
9.2 Personal Data in the Electronic Media: The personal data in the electronic media, whose period of time has expired, is rendered inaccessible and non-reusable for other employees (related users) except the database administrator.
9.3 Personal Data in the Physical Environment: Personal data kept in the physical environment is rendered inaccessible and unusable in any way for other employees, except for the unit manager responsible for the document archive, for those whose period has expired. In addition, the process of blackening is applied by drawing/painting/erasing in a way that cannot be read.
9.4 Personal Data in Portable Media: Personal data kept in flash-based storage media, which require storage, are encrypted by the system administrator and the access authorization is given only to the system administrator, and are stored in secure environments with encryption keys.
10. PERSONAL DATA DESTRUCTION TECHNIQUES
10.1 Personal Data in the Physical Media: Personal data in the paper media, which need to be kept, are irreversibly destroyed in the paper clipping machines.
10.2 Personal Data in Optical/Magnetic Media: The physical destruction of personal data in optical media and magnetic media, such as melting, burning or pulverizing, is applied. In addition, magnetic media is passed through a special device and exposed to a high magnetic field, making the data on it unreadable.
11. TECHNIQUES FOR ANONYMIZING PERSONAL DATA
11.1 Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person, even by matching them with other data. The Company can anonymize personal data when the reasons that require the processing of personal data processed in accordance with the law are eliminated.
11.2 In accordance with Article 28 of the PDP Law; Anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the PDP Law. Since personal data processed by anonymization will be outside the scope of the PDP Law, the rights set out in section 10 of the policy will not be valid for this data.
11.3 Masking: Data masking is a method of anonymizing personal data by removing the basic identifying information of personal data from the data set. Example: The name that enables the identification of the personal data owner, Turkish Citizenship Identity No, name, surname etc. converting the personal data into a data set where it becomes impossible to identify the owner of the personal data by extracting the information.
11.4 Aggregation: With the data aggregation method, many data are aggregated and personal data is rendered unrelated to any person. Example: Revealing that there are 100 customers born in 1975 without showing individual customer’s birth years.
11.5 Data Derivation: With the data derivation method, a more general content is created than the content of the personal data and it is ensured that the personal data cannot be associated with any person. Example: Specifying ages instead of birth dates; specifying the county or city of residence instead of the full address.
11.6 Data Shuffling – Permutation): With the data shuffling method, the values in the personal data set are mixed and the bond between the values and the individuals is broken. Example: Changing the quality of the voice recordings so that the voices and the data owner cannot be associated or recognized.
11.7 Removing Variables: Removing one or more parts of the data that can be used to associate personal data with a natural person
12. PERSONAL DATA RETENTION AND DESTRUCTION PERIODS
12.1 Destruction processes are carried out upon the request of the person concerned, the decision of the Personal Data Protection Board or the expiration of the periodical destruction period.
12.1.1 Periodic Disposal: Periodic destruction period determined by the Data Controller is December and June of each year.
12.1.2 Destruction at the Request of the Relevant Person: Upon the request of the relevant person, destruction is carried out without delay, if the request is deemed appropriate, and in any case within 30 days from the notification of the request, and the relevant person is answered within the same period. The application and request processes of the relevant person are specified in the “Relevant Person Application Procedure”.
12.1.3 Destruction Upon Board Decision: In case of a decision regarding the destruction of personal data by the Personal Data Protection Board, it is carried out without delay and in any case within 30 days from the notification of the decision, and the Board is replied within the same period.
12.2 In the table below, the categories of data processed within the Data Controller, the processing and storage periods required by the legal and processing purpose, and the destruction period are listed.
12.3 Destruction of personal data not included in this table but included in the processes of the Data Controller, or updating the table and adding it; The Committee on the Protection of Personal Data is authorized to decide, provided that it is proportional to the Board Decisions and the purpose of processing personal data. In its decision, the PDP Law Commission ensures that the period complies with the principles in Article 4 of the PDP Law.
12.4 These records are kept for at least three years, excluding other legal obligations.
Table 2: Table Showing Retention Periods and Destruction Times
No | Data Subject Group | Period | Data Retention Period | Destruction Time |
1 | Employee Candidate | Employee Candidate Application and Evaluation processes (CV, photo, all documents received for job application) | 2 years | From the date of the First Application; at the first periodic disposal period after the expiration of the storage period, provided that it has not been recruited |
2 | Employee | Personnel File Processes (employment contract, identity, communication, driver’s license, legal action, disciplinary processes, personnel rights processes, CV, criminal record and other documents in the personnel file, audio-visual records, embezzlement transactions) | 15 years | In the first periodic destruction period after the expiration of the storage period from the date of leaving the job |
3 | Employee | Processes related to location information obtained with the vehicle tracking system | 2 years | In the first periodic destruction period after the expiration of the storage period from the date of data processing |
4 | Employee | Accounting, payment and financial processes regarding employee wages and other personal rights | 15 years | In the first periodic destruction period after the expiration of the storage period from the date of leaving the job |
5 | Employee | Transaction and content recording processes on e-mail, corporate accounts and devices established for the employee | 15 years | In the first periodic destruction period after the expiration of the storage period from the date of leaving the job |
6 | Employee | Employer’s health and safety records, personal health file and processes related to the approved book | 15 years | In the first periodic destruction period after the expiry of the storage period from the date of leaving the job |
7 | Employee | Corporate device, e-mail, phone usage contents and processes | 15 years | In the first periodic destruction period after the expiry of the storage period from the date of leaving the job |
8 | Employee | Workplace entry and exit payroll records | 15 years | In the first periodic destruction period after the expiry of the storage period from the date of leaving the job |
9 | Sales Officers of Contracted Stores | Sales transactions made by salespeople representing the store, personal data in Seller Portal Application and SalesPro Mobile Application | 10 years | At the first periodic destruction period after the last action of the revocation of the sales authorization, in any case |
10 | Employee
Visitor Website Visitor |
Transaction Security Processes (Internet usage IP log records, user log records, IP address) | 2 years | In the first period of periodic destruction after the expiration of the storage period from the date of registration |
11 | Employee
Visitor Anyone in Data Controller Locations |
Physical space security camera recording processes | 45 days | With the expiration of the retention period after recording |
12 | Visitor
Anyone in Data Controller Locations |
Physical space security entry-exit visitor registration processes | 5 years | In the first period of periodic destruction after the expiration of the storage period from the date of registration |
13 | All Contact Groups (Employees are Specified in a Separate Category) | Legal transaction processes | 10 years | In the first periodic destruction period after the expiration of the storage period from the date of the legal action |
14 | Suppliers, Partners and Customers | Customer transaction information (check, promissory note, invoice, request, complaint) | 10 years | In the first periodic destruction period after the expiry of the storage period from the date of the transaction |
15 | Suppliers, Partners and Customers | Call Center registration processes | 10 years | In the first periodic destruction period after the expiry of the storage period from the date of the transaction |
16 | Supplier, Business Partners and Customers, and Contracted Persons (Employees are Specified in a Separate Category) | Contract and Commercial Transaction Processes (Written or unwritten contract and its annexes, signature circular, contact information of the parties, delivery and shipment documents related to the contract) | 10 years | In the first periodic destruction period following the expiration of the retention period after the termination of the contract as well as the legal and de facto commercial relationship |
17 | All Contact Groups (Employees are Specified in a Separate Category) | Accounting and finance processes (payments made and received, invoices, financial documents, slips, statements) | 10 years | If the relationship is contractual, from the termination of the contract, as well as the legal and actual commercial relationship, in the first periodic destruction period following the expiration of the storage period, from the date of the transaction if the relationship is not contractual |
18 | Visitors | Website cookie information | It is stored for the periods specified on our website. | It is destroyed at the end of the periods specified on our website |
19 | Banks and Financial Institutions | Records of offers and transactions regarding the type and amount of credit offered to customers | 10 years | In the first periodic destruction period after the expiry of the storage period from the date of the offer and/or the completion of the transaction |
20 | Customers | Personal data and transaction records of customers, Files uploaded by customers, Records of shopping packages, payments and statuses created by customers through electronic commerce sites and physical stores, Records of the banks to which customers apply for loans, loan types, terms, amounts and application statuses |
10 years | In the first periodic destruction period after the expiry of the storage period from the date of the transaction |
13. PUBLICATION AND STORAGE OF THE POLICY
The policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website.
14. POLICY UPDATE PERIOD
The policy is reviewed as needed and the necessary sections are updated.
15. ENTERING INTO FORCE
The policy is deemed to have entered into force after it is announced to the employees and published on the website of the Data Controller.
16. DATA CONTROLLER INFORMATION
Title of the Data Controller
Mersis Number
E-Mail Address
Registered E-Mail Address
Physical Mail Address
Finso Finansal Teknoloji Çözümleri A.Ş.
0388143442200001
info@finso.com.tr
finsoteknoloji@fhs05.kep.tr
Küçükbakkalköy Mahallesi Kayışdağı Caddesi Allianz Plaza Sitesi No: 1 İç Kapı No: 108 Kat:29 Ataşehir-İstanbul, Turkey
ANNEXES
ANNEX-1: Disposal Memo Upon Relevant Person’s Request
ANNEX-2: Periodic Disposal Report